In the past 18 months, India's regulatory landscape for software security has transformed dramatically. CERT-In's Technical Guidelines formalised Bill of Materials management as a compliance obligation. SEBI's CSCRF mandated software supply chain transparency for all Regulated Entities. RBI's cyber security framework tightened requirements for banks and NBFCs. And for organisations that had assumed "SBOM" was a niche developer concern, the message is now unambiguous: BOM compliance is a board-level risk issue.
The challenge? Most organisations don't even know all the BOMs they're required to produce — let alone have the tools to generate them. This guide explains exactly what's required, and how O3 Security's BOM Management Suite makes compliance achievable.
The Six Bills of Materials Indian Regulators Now Expect
When most people hear "BOM compliance," they think of SBOM — the Software Bill of Materials. But India's regulatory framework is considerably broader. CERT-In's guidelines, combined with SEBI CSCRF and RBI expectations, effectively require organisations to maintain visibility across six distinct BOM types: SBOM, CBOM, QBOM, AIBOM, HBOM, and SaaSBOM.
CERT-In's 21 Mandatory SBOM Attributes — What Exactly Is Required
Under CERT-In SBOM Guidelines v2.0, every software component in your applications must have 21 specific attributes maintained accurately and continuously. These are not optional metadata fields — they are mandatory compliance requirements:
- Identity attributes: Component Name, Version, Unique Identifier, Hash/Checksums
- Supply chain attributes: Supplier, Component Origin, Author of SBOM Data
- Dependency attributes: Component Dependencies, Relationship Tree, Structured Property
- Risk attributes: Vulnerabilities, Patch Status, Criticality, Usage Restrictions
- Lifecycle attributes: Release Date, End-of-Life Date, Timestamp, Archive Property
- Legal attributes: Component License, Executable Property, Comments/Notes
The compliance challenge: A typical enterprise application has 500–2,000 open-source dependencies. Manually maintaining 21 attributes for each, continuously updated as new versions are released and new CVEs disclosed, is operationally impossible. You need automated tooling — and O3 Security generates all 21 automatically.
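To make the 21-attribute requirement concrete, here is an added example (not O3 Security's code or CERT-In's own tooling) that audits a CycloneDX JSON SBOM for each attribute. The mapping from each CERT-In attribute to a CycloneDX field, and the `certin:` custom-property namespace used for attributes CycloneDX has no native field for, are this example's own assumptions; the SBOM it runs on is constructed inline, with one complete component and one sparse one so the gaps are visible.

```python
"""Completeness check of a CycloneDX JSON SBOM against the 21 CERT-In attributes.

Added example. The mapping below from each CERT-In attribute to a CycloneDX
field or custom property is this example's own assumption, not a mapping
published by CERT-In or O3 Security. Runs offline on a constructed SBOM.
"""
import json
from typing import Callable, Dict, List, Optional

NS = "certin:"  # constructed property namespace for attributes CycloneDX has no native field for


def prop(comp: dict, key: str) -> bool:
    """True if the component carries a non-empty custom property NS+key."""
    return any(p.get("name") == NS + key and p.get("value") for p in comp.get("properties", []))


def ext_ref(comp: dict, *types: str) -> bool:
    return any(r.get("type") in types and r.get("url") for r in comp.get("externalReferences", []))


def dep_entry(bom: dict, ref: str) -> Optional[dict]:
    return next((d for d in bom.get("dependencies", []) if d.get("ref") == ref), None)


def in_tree(bom: dict, ref: str) -> bool:
    """Component is the root, or something depends on it: it has a place in the relationship tree."""
    root = bom.get("metadata", {}).get("component", {}).get("bom-ref")
    return ref == root or any(ref in d.get("dependsOn", []) for d in bom.get("dependencies", []))


# CERT-In attribute -> predicate(bom, component), in the order the page lists them
CHECKS: Dict[str, Callable[[dict, dict], bool]] = {
    "Component Name": lambda b, c: bool(c.get("name")),
    "Version": lambda b, c: bool(c.get("version")),
    "Unique Identifier": lambda b, c: bool(c.get("purl") or c.get("cpe")),
    "Hash/Checksums": lambda b, c: bool(c.get("hashes")),
    "Supplier": lambda b, c: bool(c.get("supplier", {}).get("name")),
    "Component Origin": lambda b, c: ext_ref(c, "distribution", "vcs"),
    "Author of SBOM Data": lambda b, c: bool(b.get("metadata", {}).get("authors")),
    "Component Dependencies": lambda b, c: dep_entry(b, c.get("bom-ref", "")) is not None,
    "Relationship Tree": lambda b, c: in_tree(b, c.get("bom-ref", "")),
    "Structured Property": lambda b, c: bool(c.get("properties")),
    "Vulnerabilities": lambda b, c: prop(c, "vulnerability-status"),
    "Patch Status": lambda b, c: prop(c, "patch-status"),
    "Criticality": lambda b, c: prop(c, "criticality"),
    "Usage Restrictions": lambda b, c: prop(c, "usage-restrictions"),
    "Release Date": lambda b, c: prop(c, "release-date"),
    "End-of-Life Date": lambda b, c: prop(c, "eol-date"),
    "Timestamp": lambda b, c: bool(b.get("metadata", {}).get("timestamp")),
    "Archive Property": lambda b, c: prop(c, "archive"),
    "Component License": lambda b, c: bool(c.get("licenses")),
    "Executable Property": lambda b, c: prop(c, "executable"),
    "Comments/Notes": lambda b, c: bool(c.get("description")),
}
assert len(CHECKS) == 21


def missing_attributes(bom: dict, comp: dict) -> List[str]:
    return [name for name, ok in CHECKS.items() if not ok(bom, comp)]


def audit(bom: dict) -> Dict[str, List[str]]:
    """Map 'name@version' -> missing CERT-In attributes (empty list = all 21 present)."""
    return {f"{c.get('name')}@{c.get('version', '?')}": missing_attributes(bom, c)
            for c in bom.get("components", [])}


def audit_file(path: str) -> Dict[str, List[str]]:
    with open(path, encoding="utf-8") as fh:
        return audit(json.load(fh))


def _props(**kv: str) -> List[dict]:
    return [{"name": NS + k.replace("_", "-"), "value": v} for k, v in kv.items()]


LIB_A = "pkg:maven/org.example/lib-a@2.4.1"
LIB_B = "pkg:npm/lib-b@1.3.0"
SAMPLE_BOM = {  # constructed CycloneDX 1.5 document, not any real application's SBOM
    "bomFormat": "CycloneDX", "specVersion": "1.5",
    "metadata": {"timestamp": "2025-05-01T09:00:00Z", "authors": [{"name": "build-pipeline"}],
                 "component": {"bom-ref": "app", "type": "application", "name": "example-app", "version": "1.0.0"}},
    "components": [
        {"bom-ref": LIB_A, "type": "library", "name": "lib-a", "version": "2.4.1", "purl": LIB_A,
         "hashes": [{"alg": "SHA-256", "content": "00" * 32}], "supplier": {"name": "Example Org"},
         "externalReferences": [{"type": "vcs", "url": "https://example.invalid/lib-a"}],
         "licenses": [{"license": {"id": "Apache-2.0"}}], "description": "HTTP client used by payments",
         "properties": _props(vulnerability_status="none-known", patch_status="current", criticality="high",
                              usage_restrictions="none", release_date="2024-11-03", eol_date="2026-11-03",
                              archive="false", executable="false")},
        # lib-b is deliberately sparse: identity and graph data only, so 14 attributes come back missing
        {"bom-ref": LIB_B, "type": "library", "name": "lib-b", "version": "1.3.0", "purl": LIB_B},
    ],
    "dependencies": [{"ref": "app", "dependsOn": [LIB_A, LIB_B]},
                     {"ref": LIB_A, "dependsOn": []}, {"ref": LIB_B, "dependsOn": []}],
}

if __name__ == "__main__":
    for component, missing in audit(SAMPLE_BOM).items():
        print(f"{component}: {'complete' if not missing else 'missing ' + ', '.join(missing)}")
```

Run it as-is to see the constructed SBOM audited, or call `audit_file("your-sbom.cdx.json")` on a real CycloneDX export. The point of the table-driven design is that a build can be failed on any non-empty missing list, which is what turns the 21 attributes from a documentation exercise into a gate in the pipeline.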
SEBI CSCRF — What It Means for Your Software Supply Chain
SEBI's Cybersecurity and Cyber Resilience Framework for Regulated Entities (CSCRF) was released in 2024 and is already in effect for top-tier REs. The framework requires that financial market participants maintain visibility into software components used in critical financial applications — a requirement that directly mandates SBOM capabilities.
Key SEBI CSCRF obligations related to BOM compliance include software supply chain risk management, third-party software risk assessment, vulnerability management within defined SLAs, and incident response capabilities that require knowing exactly which systems are affected when a new vulnerability is disclosed. The 2024 Log4Shell and XZ Utils supply chain incidents demonstrated precisely why these requirements matter — organisations without SBOM visibility spent weeks discovering affected systems, while those with automated SBOMs identified exposure in hours.
The CBOM Imperative: Why Cryptographic Governance Is Urgent
The CBOM requirement is one that most Indian organisations are completely unprepared for. A Cryptographic Bill of Materials inventories every cryptographic asset in your environment — every algorithm, key, certificate, and protocol in use. O3 Security's CBOM capability discovers these assets automatically across cloud environments, on-premise infrastructure, application code, and APIs.
Why is this urgent? Two reasons. First, CERT-In and RBI expect organisations to demonstrate that their cryptographic implementations meet current security standards — meaning you need to know which systems are using deprecated algorithms (MD5, SHA-1, DES, RSA-1024, TLS 1.0/1.1). Second, quantum computers running Shor's Algorithm will break RSA and ECC — the algorithms protecting most financial transactions today. The NIST post-quantum standards are now finalised. India's financial sector needs a migration plan, and that plan starts with a CBOM.
# Organisation: FinanceCorp India | Scan: 2025-05-01
SBOM STATUS
Applications scanned: 47 | Components tracked: 12,847
Critical CVEs: 3 | High: 18 | Medium: 124
CERT-In 21 attributes: 21/21 ✓ | Formats: SPDX, CycloneDX
CBOM STATUS
Cryptographic assets: 2,341
Quantum-vulnerable (RSA/ECC): 847 assets across 23 services
Expired certificates: 14 | Expiring <30 days: 38
Deprecated algorithms (MD5/SHA-1): 12 instances
AIBOM STATUS
AI models tracked: 8 | Training datasets: 15
Framework versions: TensorFlow 2.13, PyTorch 2.1
# Post-Quantum Readiness Score: 41/100 — Action Plan Generated
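The CBOM STATUS figures in the report above are the kind of output a crypto-asset inventory should produce once it has been classified. As an added example (not O3 Security's code), the following script classifies a constructed inventory using the deprecated algorithms named in this section (MD5, SHA-1, DES, RSA-1024, TLS 1.0/1.1) and tags RSA/ECC material as quantum-vulnerable; the 2048-bit RSA floor, the 30-day expiry window and the inventory itself are this example's assumptions.

```python
"""CBOM triage: classify a cryptographic asset inventory into the counts the
CBOM STATUS block above reports. Added example, not O3 Security's code; the
inventory is constructed and the rules (which algorithms are deprecated or
quantum-vulnerable, the 2048-bit RSA floor, the 30-day expiry window) are this
example's assumptions, chosen to match the algorithms the page names."""
from datetime import date, timedelta
from typing import Dict, List

DEPRECATED_HASHES = {"MD5", "SHA-1"}
DEPRECATED_CIPHERS = {"DES"}
DEPRECATED_TLS = {"1.0", "1.1"}
MIN_RSA_BITS = 2048                                   # RSA-1024 is on the page's deprecated list
QUANTUM_VULNERABLE = {"RSA", "ECDSA", "ECDH", "EC"}   # RSA and ECC: broken by Shor's algorithm
EXPIRY_WINDOW = timedelta(days=30)


def findings(asset: dict, today: date) -> List[str]:
    """Tags for one asset; an empty list means nothing to remediate."""
    alg = asset.get("algorithm", "").upper()
    sig = asset.get("signature_hash", "").upper()
    tags: List[str] = []
    if alg in DEPRECATED_HASHES or alg in DEPRECATED_CIPHERS:
        tags.append(f"deprecated:{alg}")
    if sig in DEPRECATED_HASHES:                      # e.g. a SHA-1-signed certificate
        tags.append(f"deprecated:{sig}-signature")
    if alg == "TLS" and asset.get("version") in DEPRECATED_TLS:
        tags.append(f"deprecated:TLS{asset['version']}")
    if alg == "RSA" and asset.get("key_bits", 0) < MIN_RSA_BITS:
        tags.append(f"deprecated:RSA-{asset.get('key_bits')}")
    if alg in QUANTUM_VULNERABLE:
        tags.append("quantum-vulnerable")
    if asset.get("kind") == "certificate" and asset.get("not_after"):
        not_after = date.fromisoformat(asset["not_after"])
        if not_after < today:
            tags.append("expired")
        elif not_after - today < EXPIRY_WINDOW:
            tags.append("expiring-30d")
    return tags


def summarise(assets: List[dict], today: date) -> Dict[str, int]:
    """Counts in the shape of the CBOM STATUS block in the report above."""
    tagged = [(a, findings(a, today)) for a in assets]
    return {
        "cryptographic_assets": len(assets),
        "quantum_vulnerable_assets": sum("quantum-vulnerable" in t for _, t in tagged),
        "quantum_vulnerable_services": len({a["service"] for a, t in tagged if "quantum-vulnerable" in t}),
        "expired_certificates": sum("expired" in t for _, t in tagged),
        "expiring_within_30_days": sum("expiring-30d" in t for _, t in tagged),
        "deprecated_algorithm_instances": sum(tag.startswith("deprecated:") for _, t in tagged for tag in t),
    }


def migration_services(assets: List[dict], today: date) -> List[str]:
    """Services holding RSA/ECC material: the starting list for a post-quantum migration plan."""
    return sorted({a["service"] for a in assets if "quantum-vulnerable" in findings(a, today)})


# Constructed inventory: what a CBOM discovery pass might record for a handful of services.
INVENTORY = [
    {"service": "payments-api", "kind": "certificate", "algorithm": "RSA", "key_bits": 2048,
     "signature_hash": "SHA-256", "not_after": "2025-05-20"},
    {"service": "payments-api", "kind": "protocol", "algorithm": "TLS", "version": "1.1"},
    {"service": "core-banking", "kind": "certificate", "algorithm": "RSA", "key_bits": 1024,
     "signature_hash": "SHA-1", "not_after": "2025-03-15"},
    {"service": "core-banking", "kind": "key", "algorithm": "ECDSA", "curve": "P-256"},
    {"service": "reporting", "kind": "hash", "algorithm": "MD5"},
    {"service": "reporting", "kind": "cipher", "algorithm": "AES", "key_bits": 256},
    {"service": "legacy-batch", "kind": "cipher", "algorithm": "DES"},
    {"service": "kms", "kind": "key", "algorithm": "ML-KEM", "parameter_set": "768"},  # post-quantum: not flagged
]
SCAN_DATE = date(2025, 5, 1)

if __name__ == "__main__":
    for key, value in summarise(INVENTORY, SCAN_DATE).items():
        print(f"{key}: {value}")
    print("post-quantum migration starts with:", ", ".join(migration_services(INVENTORY, SCAN_DATE)))
```

Note that one asset can carry several findings (the core-banking certificate is RSA-1024, SHA-1-signed, quantum-vulnerable and expired at once), which is why the summary counts deprecated instances separately from assets; a migration plan is then prioritised per service, starting with those in `migration_services`.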
AIBOM: The New Frontier of Regulatory Transparency
As Indian financial institutions deploy AI-powered fraud detection, credit scoring, and customer service systems, CERT-In's AIBOM requirements become directly relevant. An AI Bill of Materials inventories AI models, training datasets, frameworks, hardware dependencies, and known adversarial vulnerabilities. For regulated financial institutions using AI in customer-facing decisions, AIBOM documentation also supports responsible AI governance requirements emerging from RBI and SEBI's AI guidance.
How O3 Security Makes BOM Compliance Achievable
O3 Security is the only platform in India that generates all six BOM types — SBOM, CBOM, QBOM, AIBOM, HBOM, and SaaSBOM — in a unified platform. Built and hosted entirely in India (MeitY-empaneled data centres), it satisfies data residency requirements that are increasingly important under India's Digital Personal Data Protection Act 2023.
The platform integrates directly with your CI/CD pipelines and source code repositories, generating SBOMs automatically on every build — in both SPDX and CycloneDX formats. For CERT-In audits, O3 Security generates on-demand compliance evidence packages that directly address the 21 mandatory attributes and the operational requirements. For SEBI CSCRF audits, the platform produces supply chain risk reports that demonstrate your vulnerability management programme to regulators.
🔒 Get Your BOM Compliance Assessment — Free
Request a 14-day trial of O3 Security's complete BOM Management Suite. Our experts will assess your current SEBI/CERT-In compliance posture and generate your first SBOM and CBOM during onboarding.
Start Free 14-Day BOM Suite Trial →
Deployment Options That Meet Every Regulatory Requirement
O3 Security offers four deployment models: SaaS (MeitY-empaneled, India-hosted cloud), On-Premises (full data control, local keys, offline validation), Hybrid (separate data and analytics planes), and Air-Gapped (zero network footprint, for defence and critical infrastructure). All four models offer full feature parity — no capability is reserved for one deployment mode.
The message from Indian regulators is clear: BOM management is no longer optional. CERT-In, SEBI, and RBI have made software supply chain visibility a compliance requirement, not a best practice. Organisations that begin their BOM programme now will have clean audit evidence, time to address compliance gaps methodically, and a competitive advantage in regulated procurement processes. Organisations that wait will face emergency compliance programmes, compressed timelines, and potential regulatory action. O3 Security makes starting easy — and makes compliance sustainable.